In the build up to deadline day when we were all busying ourselves with all things GDPR, did you or your business make any decisions you maybe now regret?
Were you misinformed perhaps or did you panic, did you formulate plans that led you down a digital rabbit hole? Many did.
Save our GDPR souls!
One of the stories we all heard, and that still makes me wince, is the one where the company had (add any number you like) contacts on their database, contacts that they had been happily marketing to in a compliant fashion, and could have continued to market to but were told GDPR meant they could not. Instead, they sent out an email saying “if we don’t hear from you, you won’t hear from us” or “if you don’t respond giving us your consent we cannot continue to send you our lovely emails about self-tapping screws!” Shudder.
A mass exodus ensued and all of that hard-earned contact data and potential revenue disappeared into the ether(net).
Another questionable decision or approach that we saw some organisations make was bringing in help from organisations that until recently only provided accountancy, HR or cyber security support, and we saw many ‘specialists’ popping up overnight.
Many organisations found themselves turning to their IT supplier, or relying on their own IT departments to address their GDPR compliance. IT is an important part of the journey to compliance but IT knowledge and experience alone will not get you to where you need to be. Compliance never relies on one skill set or one person alone; it takes an all-inclusive group effort.
Experience and knowledge is everything when everything is at stake.
So what should I do now?
Being proactive by carrying out reviews is part of the work you should be doing in relation to your data protection practices.
Try looking at the results from previous mapping exercises and reviewing your policies (updating them where necessary); this may help you understand where you went wrong and what you can do better, and may help stem the tide of potential future losses.
Don’t let the work you started lie dormant. Your controller and processor spreadsheets, for instance, are so important to an organisation. If they are kept up to date you can see the gaps that need to be addressed and act on them.
When you have the correct policies and procedures in place you are much less likely to panic during a high stress situation (a data breach or Subject Rights Request) and make a mistake, causing more issues and potential fines. Therefore, carrying out detailed and regular reviews is fundamentally important.
Equally important to all of the above is the training of your people and not setting them (and you) up to fail. Training is an inexpensive necessity, and why wouldn’t you want to look after any of your commodities? Be that people, data or a well-earned good name.
Human error can prove more expensive and more commercially embarrassing than you might think.
There is no place for complacency in compliance
If the thought of re-entering the compliance ring terrifies you, or you don’t know where to begin, it’s okay to bring in some help, so long as it is the right type of help.
The Data Protection Team at Stephens Scown has the expertise and experience to provide your business with the kind of support that encourages and helps breed confidence. Not only do you get quality legal advice but you also get practical support to implement the changes needed to be compliant. We can provide all of the policies and procedures you need, and assist with data breach analysis and response and Subject Rights Request analysis and support. Our Virtual Privacy Officer offering stands out in the marketplace for this very reason. We can also provide excellent online training modules co-created by us with Bluegrass.